DNSSEC intervals

Ted Cooper ml-daneusers-xv.i at elcsplace.com
Fri Jan 23 02:32:57 CET 2015

On 23/01/15 04:50, John wrote:
> Why a formal period between "ready" and "active", surely if the
> publishing period is correctly chosen then a key is activated when
> ready. Similarly when a key has reached the end of its retirement and is
> dead, surely it should be removed from the system asap. The more junk
> there is lying around the greater the likelihood of error.

The time period between "ready" and "active" is to allow for the key to
be returned in the DNSKEY RR without that key actively being used in
signing. This prevents a caching resolver being caught between a key
rotation where it ends up with the old set of DNSKEY cached, and RRs
signed with a new key not in that set.

The same mechanism can also be used to have a key ready for emergency
rotation. The key is already published and can be used for signing
immediately, rather than waiting for TTLs.

At the other end, the time between active and unpublished is to allow
for resolvers to be able to validate their old signed RR with the old
DNSKEY until TTL for everything has passed.
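The two intervals above, modelled as an added example that is not part of this thread: a zone publishes key sets over time, a caching resolver holds a DNSKEY RRset for its TTL, and the worst-case resolver is checked against an "activate as soon as ready" and a "remove as soon as retired" schedule. The TTL and propagation values are constructed sample inputs.

```python
# Added example (not from the thread): a small model of the pre-publish
# DNSKEY rollover intervals discussed above. Times are seconds; the TTL and
# propagation values are constructed sample inputs, not taken from any zone.
DNSKEY_TTL = 3600      # TTL of the DNSKEY RRset
MAX_ZONE_TTL = 86400   # largest TTL of any RRset the key signs
PROPAGATION = 600      # worst-case delay until every server serves the new zone

def schedule(publish_at, retire_at):
    """Earliest safe times to make a pre-published key active and to drop it."""
    # ready -> active: every cache holding a DNSKEY RRset fetched before the
    # new key appeared must have expired it and refetched.
    active_at = publish_at + PROPAGATION + DNSKEY_TTL
    # retired -> unpublished: every RRSIG the key produced must have expired
    # from caches while the DNSKEY needed to validate them is still published.
    unpublish_at = retire_at + PROPAGATION + MAX_ZONE_TTL
    return active_at, unpublish_at

class Zone:
    """Which DNSKEYs the authoritative servers publish at a given time."""
    def __init__(self): self.changes = []
    def set_keys(self, when, keys): self.changes.append((when, frozenset(keys)))
    def keys_at(self, now):
        return max((c for c in self.changes if c[0] <= now), key=lambda c: c[0])[1]

class Resolver:
    """Caching validator: keeps a DNSKEY RRset until its TTL runs out."""
    def __init__(self, zone): self.zone, self.keys, self.expires = zone, frozenset(), 0
    def dnskey(self, now):
        if now >= self.expires:   # cache expired: refetch the current set
            self.keys, self.expires = self.zone.keys_at(now), now + DNSKEY_TTL
        return self.keys
    def validates(self, signer, now): return signer in self.dnskey(now)

def activation_is_safe(publish_at, activate_at):
    """Worst case: a resolver fetched DNSKEY one second before the new key
    became visible, then must validate an RRSIG made by it at activate_at."""
    zone = Zone(); zone.set_keys(0, {"old"}); zone.set_keys(publish_at + PROPAGATION, {"old", "new"})
    r = Resolver(zone); r.dnskey(publish_at + PROPAGATION - 1)
    return r.validates("new", activate_at)

def removal_is_safe(retire_at, unpublish_at):
    """Worst case: a resolver cached an RRset signed by the old key just before
    the last old-signed zone left the servers, and revalidates it near the end
    of that RRset's TTL after its own DNSKEY cache has expired."""
    zone = Zone(); zone.set_keys(0, {"old", "new"}); zone.set_keys(unpublish_at, {"new"})
    cached_rrsig_at = retire_at + PROPAGATION - 1
    return Resolver(zone).validates("old", cached_rrsig_at + MAX_ZONE_TTL - 1)
```

With these inputs, activating at the moment the key is visible everywhere (t=600) fails for the worst-case resolver, while the scheduled t=4200 succeeds; likewise dropping the old key at retirement fails and the scheduled removal succeeds.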
